Mayayana said:
Whose hosts file? Your own compilation that you maintain (build,
verify, add, delete)? Or a pre-compiled hosts file, like the MVPs one?
Good riddance. I rarely enable script and don't want
1/4 MB of jquery crap loading with every page. There are
an increasing number of webpages that are not actually
webpages at all but rather are complex javascript programs,
often with obfuscated code.
They're called dynamic web pages (instead of static content). The page
modifies it content based on the visitor. It also helps to protect
THEIR property from thieves that want to steal (copy) it. It's not an
ideal lock but neither is the one on your car.
If people can't make a site that works without script then
in the vast majority of cases I don't need them.
A chisel, hammer, and stone still work, too, to write and communicate.
Gladly we've evolved a long ways beyond that. I know layman that feel
like you do that they don't need all the fluff available today. I grew
up with computers and have worked on or with them ever since, so even
being old fuddy duddy doesn't mean I've become staid but instead have
become accustomed to constant change.
Would you still want to be using that old wringer-washer your grandma
used when she was young or that automatic cycled laundry machine you now
have? The old one was very simple to use: just an on-off switch and a
hand-operated wringer. The new ones can be daunting to figure out what
to select for all the options: hose temperature mix or sensor-measured
temperature, 2nd rinse cycle or not, varying agitator speeds, etc. The
old one was simple but would you want to be using it?
Why are you using one of the latest web browsers instead Lynx?
In the rare
cases where I really have to enable script, I fire up Firefox.
I've got FF pre-configured to be generally functional, allowing
cookies, script, 3rd-party images, IFRAMES, etc. I have Pale
Moon set to block all those things. 99% of the time I use PM.
Did you also disable DOM storage in Pale Moon? All the major web
browsers have supported DOM storage for quite a while now, like Internet
Explorer, Chromium, and Firefox. Since Pale Moon is a variant of
Firefox then it probably supports DOM storage (far superior for a site
to store their info on your host than using the limited size of
cookies).
http://en.wikipedia.org/wiki/DOM_storage
In IE, it's an easy advanced setting that can be enabled or disabled.
In Firefox, and probably the variants, like Pale Moon, you have to delve
into the config editor to set dom.storage.enabled = FALSE.
Do you also somehow rotate or modify your web browser's User Agent
string, change identification of your OS and web browser version, your
IP address each time you connect to a site (and have the new one in a
different geographic locale), block the Referer string, somehow modify
the window title (an object attribute) of the doc frame for the web page
display area in the web browser to prevent it being used as a substitute
for Referer, and so on and on so that a site cannot establish a
"fingerprint" of you to either reuse later or provide as demographics to
their advertisers? Disabling Javascript eliminates the attributes that
venue grants in adding to your fingerprint but not eliminate the use of
a fingerprint, especially across a history of visits. You might want to
visit the Panoptclick site to check on how anonymous you think you are.
https://panopticlick.eff.org/
My IE11 as it is configured (without DOM storage) still provides 22 bits
of identification of my Internet identity. Even with DOM storage
enabled, my score is still only 22 yet DOM storage means a site can
always identity you specifically when you revisit them. They don't need
any other tricks to identify you upon your return. DOM storage is like
the nuclear bomb. The only reason why it your web browser hasn't become
radioactive is not many sites have yet started using DOM storage
although it's been available for quite awhile. IE had it first and
Mozilla followed. It was supposed to, for example, allow a site to know
your account details upon your return, a order that's still in progress
(i.e., you left without cancelling or completing your order), show you
the ebook you were last reading at the page you left at, and so on. It
was to provide convenience but, of course, it has its dark uses, too.
What's your score? I don't play with the User Agent string to conceal
my web browser, its version, and OS. Too often I've found sites that
will malfunction because their table of UAs don't have the one that I
picked or customized. They don't know which version of [a portion of]
their web page to present to me when they can't tell which web browser
I'm using to connect to them. I have a shortcut to load IE with
scripting disable, meta-refresh disabled, all add-ons disabled, and uses
Private Browsing mode. When I use that throttled instance of IE at
Panoptclick, my score goes down to 19.02 bits in my fingerprint. The
more bits, the more unique is the fingerprint identification. Of
course, you and I are discussing topics that the vast majority of users
don't know about or ever heard about. Cookies is about all they know
might be a privacy issue.
Since you disable Javascript (but obviously have the option to enable it
on that web page that you just have to see or use), presumably you also
have nothing in Pale Moon to support Flash. If you do support Flash,
have you configured it so sites can't store anything on your host using
the .sol cookies? Some sites simply won't function without storing some
of their variables on your host when Flash is used. You could allow
Flash to store some cookies but then follow a web session with a cleanup
utility, like CCleaner, that gets rid of the .sol cookies (except, of
course, the one used to store your configuration of the Flash player).
I've hit some sites where almost their entire content is Flash. Of
course, that would be one of those sites you claim that you would never
visit again (since you'd have to visit the site at least once to know it
was a site you won't revisit, and the same for knowing which sites not
to visit that are heavy into AJAX to provide dynamic web pages).
There is a lot of shit that can be used to identify you (whether it is
your or an recurrent "Internet identity"). It can be quite a waste of
time to eliminate all possible methods for some perceived violation of
your privacy for your choices of where to visit.
| It is unlikely that someone would be so stupid
| as to block jquery......
| I feel those trying to block
| all ads (3rd party content) at the sites they chose to visit are over
| sensitive. They don't like the Mona Lisa so they're going to spray
| paint the parts they don't want to see. They're modifying someone
| else's property.
Wow, you sure do have a lot of strong opinions on this subject.
Everyone who doesn't do it exactly your way is stupid, exploitive,
or both. I'm grateful that you're not policing the Internet.
I've seen users get irate because, gee, they got 1 spam per week rather
than they share of the 50 billion that are sent every week. There are
folks that want to eliminate every ad or 3rd party content that shows in
any web page that any user has ever visited despite it is not their
property. Just like you said as your resolution, don't go there.
However, even you realize that for the general users that "don't go
there" really isn't a viable solution.
If I were policing the Internet, I'd first force every advertiser to be
polite in their content. No flashing or animation, sound, or other
deliberate method to distract a visitor, no expanding content outside of
the region the web site allocated for their content. If ads had
remained unobtrusive then users wouldn't have complained about their bad
behavior and we wouldn't be trying to make polite a site that is not.
https://adblockplus.org/en/acceptable-ads#criteria
Rather than trying to "vote" on what are good versus bad ads, and
because I is da poleece, I'd make them obey those rules ... as a start.
For now, you and I and many others like us are Buzz Lightyear aiming our
LED "laser" thinking we're doing any damage to the trackers. We take
satisfaction that we can somewhat modify what we see but sometimes, and
sometimes too often, cause misbehavior due to that modification, like
playing Jenga with a web site: what can I pull out before it falls.
I rarely enable script. I block 3rd-party content. I'm not
blocking any honest ads that are actually on the websites I
visit. I don't filter ads. I filter 3rd-party content. Some sites,
it's true, don't look so good because they have integral images or
CSS coming from other domains. But in general I find the sites I
visit work fine, don't need script, and don't jump around or pop
up windows. Without script it's a lot more civilized. It's also a
lot safer. With script you're a sitting duck in two ways: 1) It's
nearly impossible to go online safely. 2) Allowing script allows
websites to impose all sorts of dynamic activity that is often
at odds with the site's functionality. (For instance, Netflix
is a beautifully done site that uses script to make the site work
well. But many sites are just using script to run cartoons,
change the content periodically, animate ads, run videos, or
do various other things that actually make the webpage itself
unreadable.)
Tis why I have shortcuts that disable features in the web browser before
I visit an unknown and untrusted web site. Yes, I still use Internet
Explorer because it is secure (you must be thinking how it was back
pre-IE7). I have shortcuts for:
- Unfettered use (all features enabled except those specifically
configured to be disabled, like DOM storage).
- InPrivate Mode.
- InPrivate Mode + No Add-ons Mode
- InPrivate Mode + No Scripting + No Meta-Refresh
- InPrivate Mode + No Add-ons Mode + No Scripting + No Meta-Refresh
I'll admit that the NoScript add-on for Firefox lets me default that web
browser from allow scripts and Flash but I would have to whitelist every
site in my Favorites (about 250 of them). Like a firewall with HIPS,
I'd be manually configuring for awhile until the protection became
quiescent. The problem with Firefox that as soon as I install it then I
find at least 6 add-ons are required before I get back the features lost
in Firefox that are in IE. Each add-on consumes more space (I think the
minimum is like 6KB just for the presence of an add-on) and each gets
replicated in each shell so Firefox can eat up quite a bit of memory.
Plus add-ons, like Adblock Plus, will signifcantly slow the load of FF:
the size of the subscription (blacklist) and the number of subscriptions
affect load time because all those entries get loaded into memory
(another reason for bloat in FF's memory footprint). I've noticed no
increased memory footprint or slowness in loading IE by using TPLs
(which use the same blacklists to which I subscribed in Adblock Plus for
FF). Scripting is faster in FF (although the benchmarks showing the web
browser bouncing around) but then you wouldn't care because you disable
scripting. If I hit a site that is so script intensive, like massive
looping, then I add it to the Restricted Sites security zone (a concept
not available in FF or Chrome) to kill scripting at that site assuming I
even want to go back there.
In fact, there are security settings in IE that have been around for 12
years before Mozilla got off their ass to add them, like letting users
decide if mixed content is allowed in a web page that was supposed to be
delivered via HTTPS. A page is secure or it is not secure, not
somewhere between. Google still doesn't provide the option. I can
disable meta-refresh to eliminate the use of interstitial pages which
can be abused to show ad pages before you get to the intended
destination page. I think Firefox has that, too, but neither IE or
Firefox tell you to where the redirection goes for the user to know if
they want to allow it or not. Back for IE6/7, there was the IE7Pro
add-on to IE that would let me know to where the redirection went and
let me kill the redirection or allow it. I knew where it went so I
could decide. Alas, it got abandoned it and I really miss it. It was
just as usable, if not more, than NoScript for FF and long before
NoScript even showed up. Google's Chrome won't let you disable
meta-refresh.
As for other limitations with a HOSTS file, like needing to
dynamically change it, I just don't find that. I don't disable
it or comment out domains because I simply don't need to.
But others do. I wasn't commenting on the use of a hosts file for one
person's criteria. BillW50 already expressed a need to modify the hosts
file that I've seen many times before. The pre-compiled list doesn't
exactly fit his needs at the sites he revisits. He and others have to
comment out entries to get the wanted sites to render or behave
correctly. I'm pointing out some of the deficiencies of using a hosts
file. You get buy without editing it. Others cannot. If they get a
new version of the pre-compiled list or use a hosts file updater tool
then they lose all their edits and those pages fail again.
By the way, what do you use to eliminate advertizing content from web
pages where filtering on a host doesn't work? You cannot specify a
domain to block. You cannot specify a substring in a URL to block ads
delivering on-domain at the site you visit. I believe you mentioned
using an external but local proxy (Acrylic DNS) where you could do some
more filtering. Does that let you filter on URL substrings or only on
domains (since DNS only returns IP address for hosts or domains and not
on URL substrings)? I would be interested in trialing Acrylic but only
if it let me filter on more than just FQDNs. I'm not sure a program
designed to be a local DNS cache (is it better thant the DNS Client
service already in Windows?) would have a URL filter feature. I usually
only find that in some firewalls and a few anti-virus programs.
I know you're going to deny visiting there because of their use of
scripts and Flash, but say you visited YouTube. Filtering out on the
URL substrings of "*/iv3_module*" and "*/annotations_invideo*" get rid
of those annoying annotation popups that show during playback of the
video. Can you do that with Acrylic DNS?
If I only wanted to filter out on hosts or entire domains, I could use
OpenDNS which has their wildcarded blacklist (but only works on the
domain portion of a URL and nothing in the path or attributes sections).
It was very handy. Alas, the free account only permits up to 50 entries
yet I could get a lot of impolite ad crap removed using that. Like you,
I could blacklist *.doubleclick.com and *.doubleclick.net (I'm not sure
I'd try *.doubleclick.*). Also like you, I'd have to install some
software to facilitate that DNS approach to filtering out unwanted
content: their DNS updater client. This reports my current dynamically
assigned IP address from my ISP to my OpenDNS account so it know what
rules from which account to apply to DNS queries coming from me. The
only reason I stopped using OpenDNS is their use of a "helper" page. On
a failed DNS lookup, they didn't return a fail status but instead
returned a success status because they delivered their helper page. My
family liked it because incorrect URLs resulted in giving them an
automatic search. I didn't care to get a helper page using redirection
links to record my web nagivation; i.e., OpenDNS became themself a
tracker. I also didn't like their attitude that they would punish you
by disabling many handy features if you disabled their helper page. So
I could do with OpenDNS what you do with Acrylic DNS; however, OpenDNS
has the nice feature that you can select categories of sites to block
(although stay away from their Academic category and way too many sites
get miscategorized to there). In my long unused account where I had a
custom select of categories, the Web Spam, Typo Squatter, and Parked
Domains categories are selected. Also, you can report sites to them;
for example, when you find a cybersquatter then you can report that site
to OpenDNS to add to their Parked DOmains category. Now that I
discussed it again, I might go back to using OpenDNS and endure their
helper page on what should've been failed DNS lookups. I just checked
and it looks like OpenDNS took away the option to disable their helper
page so all their customers get it on DNS failures.
I haven't had the experience of needing to allow content from
somewhere I've blocked.
Consider yourself lucky that the web pages you do visit all function
properly with scripting disabled and with off-domain blocked. Or you
simply didn't realize this blocking was the result of some abnormal
operation at the site you visited. When employing all this blocking,
blacklisting, content modification, DNS and URL filtering, web browser
feature disabling, anti-virus, firewall, and everything else used to
modify the web experience or to enhance security or privacy, it can be
sometimes very difficult to know where to begin to resolve the issue.
So... as long as you don't own the Internet, I think I'll continue
to use a HOSTS file. Hopefully you won't lose too much sleep
over it.
If you're using a hosts file or blacklists in proxies or web browser
add-ons to eliminate the noise in web pages then those methods are
successful. However, often users cite a hosts file or blacklist as also
a privacy measure to prevent tracking your web navigation and that's
just naive or logic stuck back to how tracking was done a decade ago.
Hiding or obfuscating your "Internet identity" requires a hell of a lot
more work than just sliding in a hosts file or using blacklists.
I only suggest using using a hosts file but usually recommend something
more robust merely to neaten up the web pages. Get rid of those
multiple "download" links where only one of them is the program you
wanted to download. Get rid of Intellitext popups that obliterate the
text you were just trying to read. Eliminate ads that startle you with
sound, flashing banners, or extend outside the region the web site
intended for their display. For that, whatever method you like to
reduce that noise is okay. You're reacting to rudeness. It's just that
some methods let you more easily toggle between blocked and unblocked
state. As for avoiding getting tracked, those blacklists are as
[im]potent as a "Do Not Disturb" sign hanging from a door knob. How to
track you has long gone beyond just blocking some off-domain content.
